The 6 lines of code that could bring down a hospital

Using fairly rudimentary hacking techniques, researchers have exposed vulnerabilities in a variety of medical devices, most recently in a Philips (NYSE:PHG) Xper hospital management system that buckled under the force of a mere 6 lines of code.

The Xper device often connects with hospital machines and patient databases that could be compromised by someone with the know-how and motive to infiltrate the system.

Researchers at Cylance Inc. who wrote the code warn that the software security loophole could provide malicious hackers the means to crash the hospital information device at will, take control of the system and even use it as a gateway to access other devices on the same network.

Philips initially suggested that the vulnerabilities may be limited to the older generation of the Xper information management system that the researchers tested, but company officials told MassDevice.com this week that the security holes are also a problem in current generations of the product.

Officials at the U.S. Dept. of Homeland Security and the FDA have taken an interest in the investigation and Philips is working on a fix that it can release to its customers, according to the Dutch healthcare and electronics conglomerate.

Philips declined to disclose how many Xper systems are on the market "as that is competitive and business-sensitive information," strategic healthcare communications senior manager Mario Fante told us.

The Hack

Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, approached the Philips Xper with no prior knowledge about the device, its software or how it might be infiltrated.

They created a copy of the software for testing purposes and began scanning for open communication channels, or "ports." They managed to "discover" and access the system by doing little more than a digital version of fumbling in the dark.

Once they established a connection, Rios devised a generic code that sent the Xper system an enormous chunk of meaningless data – in this case the letter "A," thousands of times over. Software such as web browsers and operating systems can weather this barrage of nonsense, known as "fuzzing." But the Xper system crashed completely, Rios and McCorkle told us.

"You’re getting into memory space that it’s not expecting you to, and you can take advantage of that as a hacker," McCorkle said.

"Once we detected that there was a crash, we could cause a crash at will," Rios added.

After they had spotted the vulnerability, it was a matter of days before the pair had devised an "exploit" that allowed them to manipulate the system and, by proxy, any others it might be connected to.

The transition from crashing to owning the system requires some programming savvy, but the Xper device itself would have little defense against an experienced and determined hacker. Given the proliferation of malicious threats on the Internet, including a few instances in which hospital databases were held hostage by criminals overseas, it’s safe to assume at least some Xper systems are already "owned" by hackers, McCorkle said.

More than anything, the vulnerability demonstrated to Rios and McCorkle that the Xper system didn’t get proper defense testing while it was being developed.
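The kind of development-time check this refers to, as an added example (not Philips or Cylance code; the article does not show the actual flaw): a length-checked message handler and a test that feeds it the same sort of input the researchers used, long runs of the letter "A". The names `parse_request`, `struct request` and `FIELD_MAX` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 64  /* hypothetical fixed-size field, assumed for illustration */
enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG = -1, PARSE_BAD_ARG = -2 };
struct request { char name[FIELD_MAX]; size_t name_len; };

/* Hardened handler: the length is validated before any byte is copied.
 * The unsafe form is the same memcpy with the length check left out. */
int parse_request(const unsigned char *data, size_t len, struct request *out)
{
    if (data == NULL || out == NULL)
        return PARSE_BAD_ARG;
    if (len >= sizeof out->name)          /* leave room for the terminator */
        return PARSE_TOO_LONG;
    memcpy(out->name, data, len);
    out->name[len] = '\0';
    out->name_len = len;
    return PARSE_OK;
}

/* Robustness test: inputs of 'A' at the boundary and far beyond it.
 * Guard bytes placed after the struct reveal any out-of-bounds write. */
int oversize_input_is_rejected(void)
{
    static unsigned char input[8192];     /* constructed sample input */
    struct { struct request req; unsigned char guard[16]; } box;
    size_t sizes[] = { 0, 1, FIELD_MAX - 1, FIELD_MAX, FIELD_MAX + 1,
                       4096, sizeof input };
    memset(input, 'A', sizeof input);

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        memset(&box, 0, sizeof box);
        memset(box.guard, 0x5A, sizeof box.guard);
        int rc = parse_request(input, sizes[i], &box.req);
        int expected = sizes[i] < FIELD_MAX ? PARSE_OK : PARSE_TOO_LONG;
        if (rc != expected)
            return 0;                     /* accepted too much or refused valid input */
        if (rc == PARSE_OK && box.req.name_len != sizes[i])
            return 0;
        for (size_t g = 0; g < sizeof box.guard; g++)
            if (box.guard[g] != 0x5A)
                return 0;                 /* memory past the field was touched */
    }
    return 1;
}

int main(void) { return oversize_input_is_rejected() ? 0 : 1; }
```

Building the test with a memory-error detector such as AddressSanitizer (`-fsanitize=address` in GCC and Clang) catches overflows that land in padding rather than in the guard bytes.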

Philips Healthcare has the security mindset built into its product development globally, Fante told us. An international team of product security officers is monitoring potential vulnerabilities and the company has protocols governing risk assessment and incident response, he said. The device maker is also working on a patch for the specific vulnerability that Rios and McCorkle uncovered and has been keeping FDA officials abreast of the issue.

"Once the fix is validated, it will be released through our standard FCO process and impacted customers will be informed," Fante said.

The device

The Xper system is Philips’ personalized hospital work-flow manager, with functions for lab reporting, staff scheduling, inventory coordination and more, according to the company’s website. Apart from administrative functions and database access, the Xper system interfaces with hospital equipment such as X-ray machines and vascular monitors.

The device is not intended for sale to individuals, even if they are cybersecurity researchers, but Rios and McCorkle found a reseller online who shipped it directly to Rios’ home.

When they examined the system, Rios and McCorkle discovered their Xper device had once belonged to a large Utah hospital system, which they refused to name. They also uncovered service passwords contained in the device they believe could be a universal access point for maintenance workers.

The researchers discussed their findings during a recent taped security conference, with the maintenance credentials blocked in the publicly available videos from the presentation.

The technique

The techniques Rios and McCorkle used to access and take down the Xper system are not new or difficult to devise, they noted. Port scanners, like the one they used to find the open communications pathway to the Xper system, are freely available on the Internet. Fuzzers, like the one that crashed the Xper system, might as well be Cybersecurity 101. If the medical device industry isn’t developing with security in mind, products can reach the market with weaknesses that other industries have already encountered and overcome. That could put healthcare systems more than a decade behind in terms of security.

"Software manufacturers like Microsoft and Apple and Google, when they release software they use things called ‘exploit mitigations,’" Rios told us. "If they make a mistake in their coding and they introduce a vulnerability, what they do is make it really hard to exploit that specific vulnerability, making the attacker or exploit-writer jump through a lot of different hoops to get the exploit just right so they can take over the device."

Those types of mitigations simply don’t exist in the medical device world, he noted.

"In most of the software security world, where they’ve been looking at these types of problems for a long time, you’d need a more complicated fuzzer in order to find those vulnerabilities," McCorkle said. "A 6-line fuzzer? Anybody with any kind of technical knowledge can write that."

The investigation

After Rios and McCorkle uncovered the vulnerabilities, they weren’t really sure what to do next. They turned to Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, which took over the investigation and contacted Philips and the FDA.

"Following notification by the U.S. Dept. of Homeland Security of a software security vulnerability related to the Philips Xper Information Management system, the Philips Healthcare product security team has engaged in ongoing investigation and customer notification and remediation," the company said in a press release. "Philips continues to investigate the scope and any potential impact of the identified vulnerability in the Xper IM system. Additionally, Philips continues to examine and address issues related to the public disclosure of service passwords used in healthcare products."

The company has yet to learn of any specific adverse patient events or privacy concerns related to the vulnerability exposed by Rios and McCorkle, but they’re going to be vigilant, Fante told us.
